Abstract. A recent trend in cryptography is to protect data and computation against various side-channel attacks. Dziembowski and Faust (TCC 2012) have proposed a general way to protect arbitrary circuits against any continual leakage assuming that: (i) the memory is divided into parts which leak independently, (ii) the leakage in each observation is bounded, (iii) the circuit has access to a leak-free component which samples random orthogonal vectors. The pivotal element of their construction is a protocol for refreshing the so-called Leakage-Resilient Storage (LRS).

In this note, we present a more efficient and simpler protocol for refreshing LRS under the same assumptions. Our solution needs $O(n)$ operations to fully refresh the secret (in comparison to $O(n^2)$ for the protocol of Dziembowski and Faust), where $n$ is a security parameter that describes the maximal amount of leakage in each invocation of the refreshing procedure.

1 Introduction 

Leakage-resilient cryptography has been intensively studied in recent years (cf. for instance [MR04], [DF11], [DF12], [GR12]). This note is based on a work by Dziembowski and Faust [DF12]. It follows the assumptions, construction and notation from the mentioned work. We briefly review the setting; for the complete description of the model we refer the reader to [DF12].

We first start with the definition of the Leakage-Resilient Storage (LRS) [DDV10], which is a randomized encoding scheme $(\mathrm{Enc} : \mathcal{M} \to \mathcal{C} \times \mathcal{R},\ \mathrm{Dec} : \mathcal{C} \times \mathcal{R} \to \mathcal{M})$, resilient to leakage in the following sense. Let $m \in \mathcal{M}$ be a message, and let $(l, r) := \mathrm{Enc}(m)$. Then, an adversary that learns some partial information $f(l)$ about $l$ and (independently) $g(r)$ about $r$ should gain no information about the encoded message $m$. The idea is to keep $l$ and $r$ on different memory parts, which leak independently. We will model that setting assuming that they are kept by different parties, which can perform computation and exchange messages.
More precisely (citing verbatim [DF12]), for some $c, \ell, \lambda \in \mathbb{N}$ let $M_1, \ldots, M_\ell \in \{0,1\}^c$ denote the contents of the memory parts; then we define a $\lambda$-leakage game played between an adaptive adversary $\mathcal{A}$, called a $\lambda$-limited leakage adversary, and a leakage oracle $\Omega(M_1, \ldots, M_\ell)$ as follows. For some $m \in \mathbb{N}$, the adversary $\mathcal{A}$ can adaptively issue a sequence $\{(x_i, f_i)\}_{i=1}^m$ of requests to the oracle $\Omega(M_1, \ldots, M_\ell)$, where $x_i \in \{1, \ldots, \ell\}$ and $f_i : \{0,1\}^c \to \{0,1\}^{\lambda_i}$ with $\lambda_i \le \lambda$. To each such query the oracle replies with $f_i(M_{x_i})$ and we say that in this case the adversary $\mathcal{A}$ retrieved the value $f_i(M_{x_i})$ from $M_{x_i}$. The only restriction is that in total the adversary does not retrieve more than $\lambda$ bits from each memory part. In the following, let $(\mathcal{A} \rightleftarrows (M_1, \ldots, M_\ell))$ be the output of $\mathcal{A}$ at the end of this game.

An LRS $\Phi$ is said to be $(\lambda, \epsilon)$-secure if for any two secrets $S, S' \in \mathcal{M}$ and any $\lambda$-limited adversary $\mathcal{A}$, we have $\Delta(\mathcal{A} \rightleftarrows (L, R);\ \mathcal{A} \rightleftarrows (L', R')) \le \epsilon$, where $(L, R) \leftarrow \mathrm{Enc}(S)$ and $(L', R') \leftarrow \mathrm{Enc}(S')$.

A variant of LRS $\Phi^n_{\mathbb{F}}$ introduced in [DF11] is based on the inner-product extractor. A secret $S \in \mathbb{F}$ (where $\mathbb{F}$ is an arbitrary finite field) is encoded using two random vectors $L, R \in \mathbb{F}^n$ such that $S = \langle L, R \rangle$. In this note we only allow encodings such that $L, R \in (\mathbb{F} \setminus \{0\})^n$. Moreover, we will assume that $\mathbb{F}$ is fairly large in comparison to $n$, that is $|\mathbb{F}| > 4n$. Dziembowski and Faust [DF12] showed the following lemma.

Lemma 1. Suppose $|\mathbb{F}| = \Omega(n)$. Then, LRS $\Phi^n_{\mathbb{F}}$ is $(0.49 \cdot \log_2 |\mathbb{F}^n| - 1,\ \mathrm{negl}(n))$-secure, for some negligible function $\mathrm{negl}$.

Dziembowski and Faust [DF12] have proposed a compiler, which transforms arbitrary circuits over $\mathbb{F}$ into functionally equivalent circuits secure against any continual leakage assuming that:

1. the memory is divided into parts, which leak independently,

2. the leakage from each memory part is bounded,

3. the circuit has access to a leak-free component, which samples random orthogonal vectors.

A pivotal point in the construction is the $\mathrm{Refresh}^n_{\mathbb{F}}$ protocol, which refreshes the encoding of the secret. It is run by two parties: $P_L$ holding $L$ and $P_R$ holding $R$. At the end of the protocol $P_L$ outputs $L'$ and $P_R$ outputs $R'$ such that $\langle L, R \rangle = \langle L', R' \rangle$, but apart from this $(L', R')$ is uniform and independent of $(L, R)$.

The only fact about $\mathrm{Refresh}^n_{\mathbb{F}}$ which is used in the security proof presented in [DF12] is the existence of the reconstructor procedure (an idea introduced earlier in [FRR+10]). Informally, the reconstructor is a protocol that, for inputs $(L, L')$ held by $P_L$ and $(R, R')$ held by $P_R$ (where $L, L', R, R' \in (\mathbb{F} \setminus \{0\})^n$) such that $\langle L, R \rangle = \langle L', R' \rangle$, allows the parties to reconstruct the views that they would have in the $\mathrm{Refresh}^n_{\mathbb{F}}(L, R)$ protocol, assuming that $(L', R')$ is an output of $\mathrm{Refresh}^n_{\mathbb{F}}(L, R)$.

The $\mathrm{Refresh}^n_{\mathbb{F}}$ protocol presented in [DF12] performs $O(n^2)$ operations. It is used there as a sub-routine in a "generalized multiplication" protocol, which at the end leads to an $O(n^4)$ blow-up of the circuit's size while securing it against leakage. The protocol presented in this note needs $O(n)$ operations to refresh the secret, which leads to an $O(n^2)$ blow-up of the circuit's size.



2 Leakage-Resilient Refreshing of LRS 



Similarly as in [DF12] we assume that the players have access to a leak-free component that samples uniformly random pairs of orthogonal vectors. Technically, we will assume that we have an oracle $\mathcal{O}'$ that samples a uniformly random vector $((A, \tilde{A}), (B, \tilde{B})) \in (\mathbb{F}^n)^4$, subject to the constraint that the following three conditions hold:

1. $\langle A, B \rangle + \langle \tilde{A}, \tilde{B} \rangle = 0$,

2. $A_i \ne 0$ for $1 \le i \le n$,

3. $\tilde{B}_i \ne 0$ for $1 \le i \le n$.

Note that although our oracle is slightly different from the oracle $\mathcal{O}$ used in [DF12], it may be easily "simulated" by the players having access to $\mathcal{O}$.

The refreshing scheme is presented in Figure 1. The general idea behind the protocol is similar to the one which appeared in [DF12]. Denote $a := \langle A, B \rangle$ $(= -\langle \tilde{A}, \tilde{B} \rangle)$. Steps 2 and 3 are needed to refresh the share of $P_R$. This is done by generating, with the "help" of $(A, B)$ (coming from $\mathcal{O}'$), a vector $X$ such that

$\langle L, X \rangle = a.$ (1)

The key difference between our approach and the protocol from [DF12] is a new and more efficient way of generating such $X$. Eq. (1) comes from the summation: $\langle L, X \rangle = \sum_{i=1}^n L_i X_i = \sum_{i=1}^n L_i V_i B_i = \sum_{i=1}^n L_i L_i^{-1} A_i B_i = \langle A, B \rangle = a$. Then, vector $X$ is added to the share of $P_R$ by setting (in Step 3) $R' := R + X$. Hence we get $\langle L, R' \rangle = \langle L, R \rangle + \langle L, X \rangle = \langle L, R \rangle + a$. Symmetrically, in Steps 5 and 6 the players refresh the share of $P_L$, by first generating $\tilde{X}$ such that $\langle \tilde{X}, R' \rangle = -a$, and then setting $L' := L + \tilde{X}$. By similar reasoning as before, we get $\langle L', R' \rangle = \langle L, R' \rangle - a$, which in turn is equal to $\langle L, R \rangle$. Hence, $\langle L, R \rangle = \langle L', R' \rangle$.
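To make the refreshing idea concrete, the following added example (written for this note, not code from Dziembowski and Faust) runs Steps 1 to 7 of the Refresh protocol over the prime field GF(p), with p = 2^61 - 1 as a constructed choice, and simulates the leak-free oracle O' locally; the names At, Bt, Vt, Xt stand for the tilde-marked vectors. It checks the invariant <L,R> = <L',R'> and implements the restart rule of Steps 4 and 7.

```python
import random

# Added example, not from the paper: Refresh of Fig. 1 over the prime field
# GF(P). P is a constructed choice; the note only needs |F| > 4n.
P = 2**61 - 1

def inner(x, y):
    return sum(a * b for a, b in zip(x, y)) % P

def inv(x):
    return pow(x, P - 2, P)   # inverse in GF(P); callers guarantee x != 0

def sample_oracle(n):
    """Simulates O': (A, At, B, Bt) with A_i != 0, Bt_i != 0 and
    <A,B> + <At,Bt> = 0. At is uniform on that hyperplane: draw n-1
    coordinates, then solve for the last one (possible since Bt_n != 0)."""
    A = [random.randrange(1, P) for _ in range(n)]
    B = [random.randrange(P) for _ in range(n)]
    Bt = [random.randrange(1, P) for _ in range(n)]
    At = [random.randrange(P) for _ in range(n - 1)]
    At.append((-inner(A, B) - inner(At, Bt)) * inv(Bt[-1]) % P)
    return A, At, B, Bt

def refresh(L, R):
    """Steps 1-7; returns (L', R', view_L, view_R, number of restarts)."""
    n, restarts = len(L), 0
    while True:
        A, At, B, Bt = sample_oracle(n)                        # Step 1
        # Refreshing the share of P_R
        V = [inv(l) * a % P for l, a in zip(L, A)]             # Step 2 (P_L)
        X = [v * b % P for v, b in zip(V, B)]                  # Step 3 (P_R)
        R2 = [(r + x) % P for r, x in zip(R, X)]
        if 0 in R2:                                            # Step 4
            restarts += 1
            continue
        # Refreshing the share of P_L
        Vt = [inv(r) * b % P for r, b in zip(R2, Bt)]          # Step 5 (P_R)
        Xt = [v * a % P for v, a in zip(Vt, At)]               # Step 6 (P_L)
        L2 = [(l + x) % P for l, x in zip(L, Xt)]
        if 0 in L2:                                            # Step 7
            restarts += 1
            continue
        return L2, R2, (L, A, V, At, Vt), (R, B, V, Bt, Vt), restarts

def secret_preserved(L, R):
    """Runs one refresh and checks <L,R> = <L',R'> and that no share is 0."""
    L2, R2, _, _, _ = refresh(L, R)
    return inner(L, R) == inner(L2, R2) and 0 not in L2 and 0 not in R2
```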



3 Reconstructor for $\mathrm{Refresh}^n_{\mathbb{F}}$

We now show a reconstructor for the $\mathrm{Refresh}^n_{\mathbb{F}}$ protocol. Informally, the reconstructor is a protocol that, for inputs $(L, L')$ held by $P_L$ and $(R, R')$ held by $P_R$ (where $L, L', R, R' \in (\mathbb{F} \setminus \{0\})^n$) such that $\langle L, R \rangle = \langle L', R' \rangle$, allows the parties to reconstruct the views that they would have in the $\mathrm{Refresh}^n_{\mathbb{F}}(L, R)$ protocol, assuming that $(L', R')$ is an output of $\mathrm{Refresh}^n_{\mathbb{F}}(L, R)$. The key feature of this reconstructor is that it does not require any interaction between the players. The only "common randomness" that the players need can be sampled offline before the protocol starts. These properties are used in a security proof presented in [DF12].

We now formalize what it means that $\mathrm{ReconstructRefresh}^n_{\mathbb{F}}$ is a reconstructor for $\mathrm{Refresh}^n_{\mathbb{F}}$. This is done by considering two experiments depicted in Fig. 3. The next lemma shows that these experiments produce the same distributions.



Protocol $(L', R') \leftarrow \mathrm{Refresh}^n_{\mathbb{F}}((L, R))$:

Input $(L, R)$: $L \in (\mathbb{F} \setminus \{0\})^n$ is given to $P_L$ and $R \in (\mathbb{F} \setminus \{0\})^n$ is given to $P_R$.

1. Let $((A, \tilde{A}), (B, \tilde{B})) \leftarrow \mathcal{O}'$ and give $(A, \tilde{A})$ to $P_L$ and $(B, \tilde{B})$ to $P_R$.

Refreshing the share of $P_R$:

2. The player $P_L$ computes a vector $V$ such that $V_i := L_i^{-1} \cdot A_i$ for $1 \le i \le n$ and sends $V$ to $P_R$.

3. The player $P_R$ computes a vector $X$ such that $X_i := V_i \cdot B_i$ for $1 \le i \le n$ and sets $R' := R + X$.

4. If there exists $i$ such that $R'_i = 0$, then the protocol is restarted from the very beginning with new vectors sampled from $\mathcal{O}'$.

Refreshing the share of $P_L$:

5. The player $P_R$ computes a vector $\tilde{V}$ such that $\tilde{V}_i := (R'_i)^{-1} \cdot \tilde{B}_i$ for $1 \le i \le n$ and sends $\tilde{V}$ to $P_L$.

6. The player $P_L$ computes a vector $\tilde{X}$ such that $\tilde{X}_i := \tilde{V}_i \cdot \tilde{A}_i$ for $1 \le i \le n$ and sets $L' := L + \tilde{X}$.

7. If there exists $i$ such that $L'_i = 0$, then the protocol is restarted from the very beginning with new vectors sampled from $\mathcal{O}'$.

Output: The players output $(L', R')$.

Views: The view $\mathrm{view}_L$ of player $P_L$ is $(L, A, V, \tilde{A}, \tilde{V})$ and the view $\mathrm{view}_R$ of player $P_R$ is $(R, B, V, \tilde{B}, \tilde{V})$.

Fig. 1. Protocol $\mathrm{Refresh}^n_{\mathbb{F}}$. Oracle $\mathcal{O}'$ samples random vectors $(A, \tilde{A}, B, \tilde{B}) \in (\mathbb{F} \setminus \{0\})^n \times \mathbb{F}^n \times \mathbb{F}^n \times (\mathbb{F} \setminus \{0\})^n$ such that $\langle A, B \rangle = -\langle \tilde{A}, \tilde{B} \rangle$. Note that the inverses in Steps 2 and 5 always exist, because $L, R \in (\mathbb{F} \setminus \{0\})^n$. Steps 4 and 7 guarantee that this condition is preserved under the execution of the protocol $\mathrm{Refresh}^n_{\mathbb{F}}$. It can be easily proven that the protocol is restarted with a bounded probability regardless of $n$ (but keeping $|\mathbb{F}| > 4n$), so it changes the efficiency of the algorithm only by a constant factor.



Protocol $\mathrm{ReconstructRefresh}^n_{\mathbb{F}}((L, R), (L', R'))$:

Input $((L, R), (L', R'))$: $L, L' \in (\mathbb{F} \setminus \{0\})^n$ are given to $P_L$ and $R, R' \in (\mathbb{F} \setminus \{0\})^n$ are given to $P_R$.

Offline sampling: Vectors $V$ and $\tilde{V}$ are independently and uniformly sampled from $(\mathbb{F} \setminus \{0\})^n$ and given to both players.

Reconstructing the "Refreshing the share of $P_R$" phase:

1. The player $P_L$ computes a vector $A$ such that $A_i := V_i \cdot L_i$ for $1 \le i \le n$.

2. The player $P_R$ sets $X := R' - R$ and computes a vector $B$ such that $B_i := V_i^{-1} \cdot X_i$ for $1 \le i \le n$.

Reconstructing the "Refreshing the share of $P_L$" phase:

3. The player $P_R$ computes a vector $\tilde{B}$ such that $\tilde{B}_i := \tilde{V}_i \cdot R'_i$ for $1 \le i \le n$.

4. The player $P_L$ sets $\tilde{X} := L' - L$ and computes a vector $\tilde{A}$ such that $\tilde{A}_i := \tilde{V}_i^{-1} \cdot \tilde{X}_i$ for $1 \le i \le n$.

Views: The view $\mathrm{view}_L$ of player $P_L$ is $(L, A, V, \tilde{A}, \tilde{V})$ and the view $\mathrm{view}_R$ of player $P_R$ is $(R, B, V, \tilde{B}, \tilde{V})$.

Fig. 2. Protocol $\mathrm{ReconstructRefresh}^n_{\mathbb{F}}$.

Experiment $\mathrm{ExpRefresh}(L, R)$:
Run the protocol $\mathrm{Refresh}^n_{\mathbb{F}}((L, R))$.
Output $(L', R', \mathrm{view}_L, \mathrm{view}_R)$.

Experiment $\mathrm{ExpReconstructRefresh}(L, R)$:
Sample $L', R' \leftarrow (\mathbb{F} \setminus \{0\})^n$ such that $\langle L, R \rangle = \langle L', R' \rangle$.
Run the protocol $\mathrm{ReconstructRefresh}^n_{\mathbb{F}}((L, R), (L', R'))$.
Output $(L', R', \mathrm{view}_L, \mathrm{view}_R)$.

Fig. 3. Experiments $\mathrm{ExpRefresh}(L, R)$ and $\mathrm{ExpReconstructRefresh}(L, R)$.
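The reconstructor of Fig. 2, as an added example that is not code from the paper: it rebuilds both views without any interaction over GF(p) (p = 2^61 - 1, a constructed choice; At, Bt, Vt, Xt stand for the tilde-marked vectors), checks that the reconstructed (A, Ã, B, B̃) satisfy the three conditions imposed on O', and replays Steps 2, 3, 5 and 6 of Refresh to confirm that they lead exactly to the given (L', R').

```python
import random

# Added example, not from the paper: ReconstructRefresh of Fig. 2 over the
# prime field GF(P). P is a constructed choice; the note only needs |F| > 4n.
# At, Bt, Vt, Xt stand for the tilde-marked vectors of the paper.
P = 2**61 - 1

def inner(x, y):
    return sum(a * b for a, b in zip(x, y)) % P

def inv(x):
    return pow(x, P - 2, P)   # inverse in GF(P); callers guarantee x != 0

def reconstruct_refresh(L, R, L2, R2, V=None, Vt=None):
    """(L, L2) sit at P_L, (R, R2) at P_R, with <L,R> = <L2,R2>. Returns the
    views (L, A, V, At, Vt) and (R, B, V, Bt, Vt) with no interaction; V and
    Vt are the offline common randomness, uniform over nonzero elements."""
    n = len(L)
    V = V if V is not None else [random.randrange(1, P) for _ in range(n)]
    Vt = Vt if Vt is not None else [random.randrange(1, P) for _ in range(n)]
    # Reconstructing the "Refreshing the share of P_R" phase
    A = [v * l % P for v, l in zip(V, L)]                    # Step 1 (P_L)
    X = [(r2 - r) % P for r2, r in zip(R2, R)]               # Step 2 (P_R)
    B = [inv(v) * x % P for v, x in zip(V, X)]
    # Reconstructing the "Refreshing the share of P_L" phase
    Bt = [v * r2 % P for v, r2 in zip(Vt, R2)]               # Step 3 (P_R)
    Xt = [(l2 - l) % P for l2, l in zip(L2, L)]              # Step 4 (P_L)
    At = [inv(v) * x % P for v, x in zip(Vt, Xt)]
    return (L, A, V, At, Vt), (R, B, V, Bt, Vt)

def consistent_with_oracle(view_L, view_R):
    """The reconstructed (A, At, B, Bt) must satisfy the three conditions
    of O': A_i != 0, Bt_i != 0 and <A,B> + <At,Bt> = 0."""
    _, A, _, At, _ = view_L
    _, B, _, Bt, _ = view_R
    return 0 not in A and 0 not in Bt and (inner(A, B) + inner(At, Bt)) % P == 0

def replay_matches(view_L, view_R, L2, R2):
    """Feeds the reconstructed vectors into Steps 2, 3, 5 and 6 of Refresh
    (Fig. 1) and checks that this run reproduces V, Vt and (L2, R2)."""
    L, A, V, At, Vt = view_L
    R, B, _, Bt, _ = view_R
    v_ok = V == [inv(l) * a % P for l, a in zip(L, A)]       # Step 2
    R2b = [(r + v * b) % P for r, v, b in zip(R, V, B)]      # Step 3
    vt_ok = Vt == [inv(r) * b % P for r, b in zip(R2b, Bt)]  # Step 5
    L2b = [(l + v * a) % P for l, v, a in zip(L, Vt, At)]    # Step 6
    return v_ok and vt_ok and (L2b, R2b) == (L2, R2)
```

When <L',R'> differs from <L,R>, consistent_with_oracle returns False, which is exactly the precondition of the reconstructor failing.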



Lemma 2. For every $L, R \in (\mathbb{F} \setminus \{0\})^n$ we have that

$\mathrm{ExpRefresh}(L, R) = \mathrm{ExpReconstructRefresh}(L, R).$

Proof. We only show that the equality of distributions holds for the variables involved in the "Refreshing the share of $P_R$" phase (the same fact for the other phase is proven analogously). These variables are

$L, R, A, B, V, X, R'.$

We prove it by showing that each of the above variables has an identical conditional distribution given the previous variables in the series:

1. $L, R$: Clearly in both experiments $(L, R)$ is constant and identical;

2. $A$: $A$ is uniformly distributed over $(\mathbb{F} \setminus \{0\})^n$ independently of $(L, R)$. In the first experiment it comes from the way it is sampled from $\mathcal{O}'$. In the second scenario it is defined by the equation $A_i := V_i \cdot L_i$ for $1 \le i \le n$. Hence, each $A_i$ is a product of $V_i$ distributed uniformly over $\mathbb{F} \setminus \{0\}$ and some fixed non-zero $L_i$. Therefore $A_i$ has a uniform distribution over $\mathbb{F} \setminus \{0\}$.

3. $B$: $B$ is uniformly distributed over $\mathbb{F}^n$ independently of $(L, R, A)$. In the first experiment it comes from the way it is sampled from $\mathcal{O}'$. In the second scenario it is defined by the equation $B_i := V_i^{-1} \cdot X_i$ for $1 \le i \le n$. Notice that $R'$ has a uniform distribution over $\mathbb{F}^n$ independent of $(L, R, A)$, so $X$ defined by $X := R' - R$ is also uniform over $\mathbb{F}^n$. Hence, each $B_i$ is a product of some non-zero $V_i^{-1}$ and $X_i$ distributed uniformly over $\mathbb{F}$ and independently of $V$. Therefore $B_i$ has a uniform distribution over $\mathbb{F}$.

4. $V$: $V$ is uniquely determined given $(L, R, A, B)$ by the equation $V_i := L_i^{-1} \cdot A_i$ for $1 \le i \le n$ (Step 2 in Fig. 1 and Step 1 in Fig. 2).

5. $X$: $X$ is uniquely determined given $(L, R, A, B, V)$ by the equation $X_i = V_i \cdot B_i$ for $1 \le i \le n$ (Step 3 in Fig. 1 and Step 2 in Fig. 2).

6. $R'$: $R'$ is in both experiments equal to $R + X$.